author | mgrooms <mgrooms@shrew.net> | 2009-03-15 06:14:54 +0000 |
committer | mgrooms <mgrooms@shrew.net> | 2009-03-15 06:18:35 +0000 |
commit | 4b96b3675a8ee4fd0d276ad0a7c3b8b93bd14cac (patch) | |
tree | 958b9cad6a732f92151e4d2fb4238125af08150c /etc | |
parent | 030f0cb794e2cc477432aa108eceb3dd2a01a4b0 (diff) | |
Modify IPsec code to allow for transport mode. All existing configurations are
marked as tunnel for backwards compatibility. There are problems with the spd
read code, which will likely choke on transport entries. We can fix this later.
Diffstat (limited to 'etc')
-rw-r--r-- | etc/inc/globals.inc | 4 | ||||
-rw-r--r-- | etc/inc/ipsec.inc | 4 | ||||
-rw-r--r-- | etc/inc/upgrade_config.inc | 8 | ||||
-rw-r--r-- | etc/inc/vpn.inc | 136 |
4 files changed, 102 insertions, 50 deletions
diff --git a/etc/inc/globals.inc b/etc/inc/globals.inc
index c8ae12d..bab855b 100644
--- a/etc/inc/globals.inc
+++ b/etc/inc/globals.inc
@@ -32,7 +32,7 @@
 */
 $g = array(
- "factory_shipped_username" => "admin",
+ "factory_shipped_username" => "admin",
 "factory_shipped_password" => "pfsense",
 "upload_path" => "/root",
 "dhcpd_chroot_path" => "/var/dhcpd",
@@ -58,7 +58,7 @@ $g = array(
 "product_website_footer" => "http://www.pfsense.org/?gui20",
 "product_email" => "coreteam@pfsense.org",
 "debug" => false,
- "latest_config" => "5.7",
+ "latest_config" => "5.8",
 "nopkg_platforms" => array("cdrom"),
 "minimum_ram_warning" => "115",
 "minimum_ram_warning_text" => "128 megabytes",
diff --git a/etc/inc/ipsec.inc b/etc/inc/ipsec.inc
index 6e206b3..44853d6 100644
--- a/etc/inc/ipsec.inc
+++ b/etc/inc/ipsec.inc
@@ -77,6 +77,10 @@ $p1_authentication_methods = array(
 'rsasig' => array( 'name' => 'Mutual RSA', 'mobile' => false ),
 'pre_shared_key' => array( 'name' => 'Mutual PSK', 'mobile' => false )
 );
+$p2_modes = array(
+ 'tunnel' => 'Tunnel',
+ 'transport' => 'Transport');
+
 $p2_protos = array(
 'esp' => 'ESP',
 'ah' => 'AH');
diff --git a/etc/inc/upgrade_config.inc b/etc/inc/upgrade_config.inc
index e8d6192..db59e6f 100644
--- a/etc/inc/upgrade_config.inc
+++ b/etc/inc/upgrade_config.inc
@@ -1725,4 +1725,12 @@ function upgrade_056_to_057() {
 unset($config['captiveportal']['user']);
 }
 }
+
+function upgrade_057_to_058() {
+ global $config;
+ /* set all phase2 entries to tunnel mode */
+ if (is_array($config['ipsec']['phase2']))
+ foreach($config['ipsec']['phase2'] as & $ph2ent)
+ $ph2ent['mode'] = 'tunnel';
+}
 ?>
diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc
index 1e9ea34..18090db 100644
--- a/etc/inc/vpn.inc
+++ b/etc/inc/vpn.inc
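Review bot: upgrade_057_to_058 iterates with `foreach($config['ipsec']['phase2'] as & $ph2ent)` and leaves `$ph2ent` bound as a reference to the last phase 2 entry when the loop ends; the function returns immediately so it is harmless today, but any later plain assignment to a variable of that name in this scope would silently overwrite that config entry. Add `unset($ph2ent);` after the loop so the reference does not outlive it. The loop also unconditionally stamps `mode = 'tunnel'`, which matches the stated backwards-compatibility intent, and a short comment saying that transport entries cannot exist before 5.8 would make that explicit.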
@@ -587,75 +587,103 @@ EOD;
 $ikeid = $ph2ent['ikeid'];
+ if( !ipsec_lookup_phase1($ph2ent,$ph1ent))
+ continue;
+
+ if (isset($ph1ent['disabled']))
+ continue;
+
 if (isset($ph2ent['disabled']))
 continue;
 if (isset($ph2ent['mobile']) && !isset($a_client['enable']))
 continue;
- $localid_type = $ph2ent['localid']['type'];
- if ($localid_type != "address")
- $localid_type = "subnet";
+ if ($ph2ent['mode'] == 'tunnel') {
- $localid_data = ipsec_idinfo_to_cidr($ph2ent['localid']);
- $localid_spec = $localid_type." ".$localid_data." any";
+ $localid_type = $ph2ent['localid']['type'];
+ if ($localid_type != "address")
+ $localid_type = "subnet";
- if (!isset($ph2ent['mobile'])) {
+ $localid_data = ipsec_idinfo_to_cidr($ph2ent['localid']);
+ $localid_spec = $localid_type." ".$localid_data." any";
- $remoteid_type = $ph2ent['remoteid']['type'];
- if ($remoteid_type != "address")
- $remoteid_type = "subnet";
+ if (!isset($ph2ent['mobile'])) {
+ $remoteid_type = $ph2ent['remoteid']['type'];
+ if ($remoteid_type != "address")
+ $remoteid_type = "subnet";
- $remoteid_data = ipsec_idinfo_to_cidr($ph2ent['remoteid']);
- $remoteid_spec = $remoteid_type." ".$remoteid_data." any";
+ $remoteid_data = ipsec_idinfo_to_cidr($ph2ent['remoteid']);
+ $remoteid_spec = $remoteid_type." ".$remoteid_data." any";
+ } else
+ $remoteid_spec = "anonymous";
- } else
- $remoteid_spec = "anonymous";
+ } else {
- $ealgos = '';
- $halgos = join(",", $ph2ent['hash-algorithm-option']);
+ $rgip = $rgmap[$ph1ent['remote-gateway']];
- $pfsline = '';
- if ($ph2ent['pfsgroup'])
- $pfsline = "pfs_group {$ph2ent['pfsgroup']};";
- if (isset($a_client['pfs_group'])) {
- $pfsline = '';
- if ($a_client['pfs_group'])
- $pfsline = "pfs_group {$a_client['pfs_group']};";
+ $localid_data = ipsec_get_phase1_src($ph1ent);
+ $localid_spec = "address {$localid_data}";
+
+ $remoteid_data = $rgmap[$ph1ent['remote-gateway']];
+ $remoteid_spec = "address {$remoteid_data}";
 }
- $lifeline = '';
- if ($ph2ent['lifetime'])
- $lifeline = "lifetime time {$ph2ent['lifetime']} secs;";
+ if($ph2ent['proto'] == "esp") {
+
+ $ealgos = '';
- foreach ($ph2ent['encryption-algorithm-option'] as $ealg) {
+ foreach ($ph2ent['encryption-algorithm-option'] as $ealg) {
- $ealg_id = $ealg['name'];
- $ealg_kl = $ealg['keylen'];
+ $ealg_id = $ealg['name'];
+ $ealg_kl = $ealg['keylen'];
- if ($ealg_kl) {
- if( $ealg_kl == "auto" ) {
- $key_hi = $p2_ealgos[$ealg_id]['keysel']['hi'];
- $key_lo = $p2_ealgos[$ealg_id]['keysel']['lo'];
- $key_step = $p2_ealgos[$ealg_id]['keysel']['step'];
+ if ($ealg_kl) {
+ if( $ealg_kl == "auto" ) {
+ $key_hi = $p2_ealgos[$ealg_id]['keysel']['hi'];
+ $key_lo = $p2_ealgos[$ealg_id]['keysel']['lo'];
+ $key_step = $p2_ealgos[$ealg_id]['keysel']['step'];
- for ($keylen = $key_hi; $keylen >= $key_lo; $keylen -= $key_step) {
- if( $ealgos )
+ for ($keylen = $key_hi; $keylen >= $key_lo; $keylen -= $key_step) {
+ if ($ealgos)
+ $ealgos = $ealgos.", ";
+ $ealgos = $ealgos.$ealg_id." ".$keylen;
+ }
+ } else {
+ if ($ealgos)
 $ealgos = $ealgos.", ";
- $ealgos = $ealgos.$ealg_id." ".$keylen;
+ $ealgos = $ealgos.$ealg_id." ".$ealg_kl;
 }
 } else {
 if ($ealgos)
 $ealgos = $ealgos.", ";
- $ealgos = $ealgos.$ealg_id." ".$ealg_kl;
+ $ealgos = $ealgos.$ealg_id;
 }
- } else {
- if ($ealgos)
- $ealgos = $ealgos.", ";
- $ealgos = $ealgos.$ealg_id;
 }
+
+ $ealgosline = "encryption_algorithm {$ealgos};";
+
+ } else {
+
+ $ealgosline = "encryption_algorithm null_enc;";
 }
+ $halgos = join(",", $ph2ent['hash-algorithm-option']);
+ $halgosline = "authentication_algorithm {$halgos};";
+
+ $pfsline = '';
+ if ($ph2ent['pfsgroup'])
+ $pfsline = "pfs_group {$ph2ent['pfsgroup']};";
+ if (isset($a_client['pfs_group'])) {
+ $pfsline = '';
+ if ($a_client['pfs_group'])
+ $pfsline = "pfs_group {$a_client['pfs_group']};";
+ }
+
+ $lifeline = '';
+ if ($ph2ent['lifetime'])
+ $lifeline = "lifetime time {$ph2ent['lifetime']} secs;";
+
 /* add sainfo section to configuration */
 $racoonconf .=<<<EOD
@@ -663,11 +691,11 @@ EOD;
 sainfo {$localid_spec} {$remoteid_spec} {
 remoteid {$ikeid};
- encryption_algorithm {$ealgos};
- authentication_algorithm {$halgos};
- compression_algorithm deflate;
+ {$ealgosline}
+ {$halgosline}
 {$pfsline}
 {$lifeline}
+ compression_algorithm deflate;
 }
 EOD;
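Review bot: The new ESP test reads `$ph2ent['proto']`, while the SPD hunk of this same commit (at -735) builds its policies from `$ph2ent['protocol']`; unless a phase 2 entry carries both keys, one of the two is never set, and if `proto` is the wrong one the comparison is always false and every sainfo section is emitted with `encryption_algorithm null_enc;`, i.e. ESP with no confidentiality, so the key name should be checked against the config schema and the two hunks made to agree, e.g. `if ($ph2ent['protocol'] == "esp") {`. The `if ($ph2ent['mode'] == 'tunnel')` test sends any other value, including an entry whose `mode` was never set, down the transport path; since the upgrade in this commit makes tunnel the compatibility default, `if ($ph2ent['mode'] != 'transport') {` keeps missing or unrecognized values on the tunnel path. `$rgip` is assigned in the transport branch but not used within this hunk, as `$remoteid_data` repeats the same lookup two lines later. The enclosing foreach over phase 2 entries begins before the hunk.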
@@ -735,11 +763,23 @@ EOD;
 mwexec("/sbin/ifconfig gif" . $number_of_gifs . " {$lansa}/{$lansn} {$lanip}/32");
 }
- $spdconf .= "spdadd {$localid} {$remoteid} any -P out ipsec " .
- "{$ph2ent['protocol']}/tunnel/{$ep}-{$rgip}/unique;\n";
+ if($ph2ent['mode'] == "tunnel") {
+
+ $spdconf .= "spdadd {$localid} {$remoteid} any -P out ipsec " .
+ "{$ph2ent['protocol']}/tunnel/{$ep}-{$rgip}/unique;\n";
+
+ $spdconf .= "spdadd {$remoteid} {$localid} any -P in ipsec " .
+ "{$ph2ent['protocol']}/tunnel/{$rgip}-{$ep}/unique;\n";
- $spdconf .= "spdadd {$remoteid} {$localid} any -P in ipsec " .
- "{$ph2ent['protocol']}/tunnel/{$rgip}-{$ep}/unique;\n";
+ } else {
+
+ $spdconf .= "spdadd {$localid} {$remoteid} any -P out ipsec " .
+ "{$ph2ent['protocol']}/transport//unique;\n";
+
+ $spdconf .= "spdadd {$remoteid} {$localid} any -P in ipsec " .
+ "{$ph2ent['protocol']}/transport//unique;\n";
+
+ }
 /* static route needed? */
 if (preg_match("/^carp/i", $ph1ent['interface']))
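Review bot: The transport branch reuses `{$localid}` and `{$remoteid}`, which are computed above the hunk and in the tunnel branch serve as the phase 2 network selectors; if they are still the subnet selectors in transport mode, these SPD entries request transport-mode protection for subnet-to-subnet traffic while the sainfo written earlier in this commit is keyed on the two gateway addresses, so the policy and the sainfo would not match. For transport mode the selectors should be the endpoints themselves, which `$ep` and `$rgip` appear to be from the tunnel line, e.g. `"spdadd {$ep} {$rgip} any -P out ipsec "` and `"spdadd {$rgip} {$ep} any -P in ipsec "`. As in the sainfo hunk, `== "tunnel"` routes a missing or unrecognized `mode` into transport, where `!= "transport"` would preserve the tunnel default. The enclosing function continues outside the hunk.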